# Auth flow smoke test against the local service on http://localhost:3333:
# register -> call a protected route -> rotate tokens -> call the protected
# route with the rotated access token -> log out.
#
# NOTE(review): every entry expects HTTP 200, so only the success path is
# covered. Nothing here checks that the step-1 refresh token is refused once
# step 3 has rotated it, or that the rotated tokens are refused after step 5.
# Those rejection checks are what would show that rotation and logout revoke
# anything. The status the server returns on rejection is not visible in this
# file -- confirm it before adding them.

# 1. Register a user and capture the token pair from the response.
# NOTE(review): the email is a fixed value, so repeat runs depend on how the
# server treats an already-registered address -- confirm.
POST http://localhost:3333/register
[FormParams]
email: test_user@debian.org
password: supersecretpassword
HTTP 200
[Captures]
access_token: jsonpath "$.access_token"
refresh_token: jsonpath "$.refresh_token"

# 2. The access token from registration must open the protected route.
GET http://localhost:3333/home
Authorization: Bearer {{access_token}}
HTTP 200
[Asserts]
jsonpath "$.status" == "authenticated"

# 3. Exchange the refresh token for a new token pair.
POST http://localhost:3333/refresh
Content-Type: application/json
{ "refresh_token": "{{refresh_token}}" }
HTTP 200
[Captures]
# Stored under new names (not overwritten) so the step-1 values remain
# available for the comparison below.
next_access_token: jsonpath "$.access_token"
next_refresh_token: jsonpath "$.refresh_token"
[Asserts]
# The refresh token must differ from the one that was sent.
# Only the refresh token is compared; the access token is not.
variable "next_refresh_token" != "{{refresh_token}}"

# 4. The rotated access token must open the protected route as well.
GET http://localhost:3333/home
Authorization: Bearer {{next_access_token}}
HTTP 200
[Asserts]
jsonpath "$.status" == "authenticated"

# 5. Log out with the rotated refresh token. Per the original author's note
# this is meant to clean up the server-side token table; that effect is not
# asserted here, only the response message.
POST http://localhost:3333/logout
Content-Type: application/json
{ "refresh_token": "{{next_refresh_token}}" }
HTTP 200
[Asserts]
jsonpath "$.message" == "logout success"